
About Yubico

As the inventors of the YubiKey, Yubico sets new world standards for secure login across the Internet. Our unique USB and NFC key offers one-touch strong authentication supporting multiple authentication protocols for all devices and platforms, with no driver or client software needed. With successful enterprise deployments in 140 countries, including 7 of the top 10 Internet companies, Yubico is adding the consumer market to its list of strong authentication converts. Founded in 2007, Yubico is privately held with offices in Palo Alto, Calif., Stockholm, and London. For more information visit yubico.com

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document. The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing.

Trademarks

Yubico and YubiKey are trademarks of Yubico Inc.

Contact Information

Yubico Inc
459 Hamilton Avenue, Suite 304
Palo Alto, CA USA
yubi.co/contact

YubiKey OSX Login 2015 Yubico. All rights reserved. Page 2 of 18

1 Configuration of YubiKeys

It is recommended to have YubiKeys pre-configured with the HMAC-SHA1 Challenge-Response configuration before setting up the OS X Login. The YubiKey configuration can easily be done ahead of time, or even by Yubico at the initial purchase (for orders larger than 500 YubiKeys). To configure YubiKeys in Challenge-Response mode yourself, Yubico provides the YubiKey Cross-Platform Personalization Tool in both a graphical and a command-line version.

1.1 Personalization Tool (recommended)

The Personalization Tool is the simplest way to set up small numbers of YubiKeys (fewer than 500) with the Challenge-Response credential.

1) First, install the latest version of the YubiKey Personalization Tool from the App Store: https://itunes.apple.com/us/app/yubikey-personalization-tool/id ?mt=12

2) Once the YubiKey Personalization Tool has been installed, insert a YubiKey in a USB port on your Mac and launch the YubiKey Personalization Tool.

3) Open the Settings tab at the top of the window, and ensure that the Logging Settings section has logging enabled and Yubico Output selected. The log is where the secret key generated in step 11 is recorded, so this setting matters for making backup keys later.

4) Open the Challenge Response tab at the top of the window.

5) In the Program in Challenge-Response mode menu, click HMAC-SHA1. The HMAC-SHA1 configuration window opens.

6) Locate the Configuration Slot section and select the Configuration Slot 2 option. Slot 2 is the slot that the ykpamcfg -2 command in Section 7 expects.

7) If you wish to program multiple YubiKeys, select the Program Multiple YubiKeys and Automatically program YubiKeys when inserted options. The application will then program each YubiKey as it is plugged into a USB port of the host machine, one at a time, until the application is stopped.

8) For added security, you may apply a Configuration Access Code; this locks down the slot configuration so it cannot be changed without supplying the code. In the Configuration Protection section, select "YubiKey(s) unprotected - enable protection" from the drop-down menu, and either enter a 12-character hex access code or select Use Serial Number. Record the access code together with the secret key from step 11: a slot whose access code has been lost cannot be reprogrammed.

9) Locate the HMAC-SHA1 section. In this section, ensure that the checkbox Require User input (button press) is NOT selected.

10) In the HMAC-SHA1 section, for the HMAC-SHA1 Mode, select the Variable input option.

11) Click the Generate button to the right of the field labelled Secret Key (20 bytes Hex).

Note: This secret key is essential for making backups of configured YubiKeys. The value is included in the configuration log generated when the YubiKey is configured (as long as logging is enabled, see step 3). Store this value in a safe location for programming backup or secondary YubiKeys for the OS X Challenge-Response Login. Anyone holding this key can program a YubiKey that the login will accept, so protect the log file accordingly.

12) In the Actions section, click the Write Configuration button. This configures the YubiKey. If the Program Multiple YubiKeys option was enabled, the Tool continues to configure each new YubiKey as it is plugged in until the Stop button is clicked.

1.2 Command Line Tool (advanced users)

The Command Line Tool and its library are useful for automating or integrating YubiKey configuration. Integrating the library is outside the scope of this document; the focus here is the command-line interface.

1) First install the CLI (Command Line Interface) tool from the Yubico developers' website (https://developers.yubico.com/yubikey-personalization/releases/). If building your own release, the yubico-c library is a prerequisite (https://developers.yubico.com/yubico-c/).

2) Once installed, open a Terminal window and plug in the YubiKey.

3) To configure the YubiKey in Challenge-Response mode for OS X (the same settings as steps 6 to 11 of Section 1.1), use the following command:

    ykpersonalize -2 -y -ochal-resp -ochal-hmac -o-chal-btn-trig -ohmac-lt64 -oallow-update -c<access CODE> -a<secret KEY>

Here -2 selects configuration slot 2, -y skips the confirmation prompt, -ochal-resp and -ochal-hmac select HMAC-SHA1 challenge-response, -o-chal-btn-trig turns off the button-press requirement, -ohmac-lt64 selects variable input (challenges shorter than 64 bytes), -oallow-update permits later updates of the slot, and -a supplies the 20-byte secret key as 40 hex characters. The -c option supplies the 12-character hex access code of a slot that is already protected; omit it for an unprotected slot (setting a new access code is done with ykpersonalize's -oaccess= option, not with -c).

2 Back up your Mac using Time Machine

Before continuing this process, it is important to back up your system with Time Machine. If mistakes are made, it is possible to get locked out of your system. The only way to recover from this is to restore from a Time Machine backup made prior to editing the PAM configuration files (Sections 7.4 and 7.5). Yubico assumes no responsibility if you get locked out of your account(s).

1) Make sure the external hard drive used for Time Machine backups is plugged into your computer. Note: If you already see the Time Machine icon in the OS X menu bar, skip to step 6.

2) Click the Apple menu at the top left, and select System Preferences.

3) Click Time Machine.

4) At the bottom, select the checkbox next to Show Time Machine in menu bar.

5) Close the Time Machine window.

6) Click the Time Machine icon in the OS X menu bar and select Back Up Now.

3 Install Xcode Command Line Tools

1) Open a Terminal window and run the following command to install the Xcode Command Line Tools:

    xcode-select --install

You will be prompted that the Xcode Command Line Tools need to be installed. Follow the prompts to complete the process.

4 Install Homebrew

1) Open a Terminal window and run the following command to install Homebrew:

    ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Note that this downloads an installer script and runs it immediately with your privileges; if your environment requires it, download and review the script before running it.

2) Press Enter when prompted.

3) Enter your sudo password and press Enter. Several warning pop-ups may appear; these can be ignored.

4) With the Homebrew installation complete, run the following command in Terminal to check for any issues from the installation:

    brew doctor

5) If no issues were found, you should see the message: Your system is ready to brew.

5 Install Yubico-PAM

Now that you have the Xcode Command Line Tools and Homebrew installed, you need to install the Yubico-PAM module.

1) Open a Terminal window and run the following command:

    brew install yubico-pam

The Yubico-PAM module should now be installed on your Mac. If you have OS X 10.11 (El Capitan), skip to Section 6. If you have OS X 10.10 (Yosemite) or 10.9 (Mavericks), continue with the next step.

Move the pam_yubico.so file (OS X 10.10 and earlier)

If you have OS X 10.10 (Yosemite) or earlier, run the following command in Terminal:

    sudo cp /usr/local/Cellar/pam_yubico/2.20/lib/security/pam_yubico.so /usr/lib/pam/pam_yubico.so

NOTE: The command above assumes pam_yubico version 2.20 is installed. If you get an error message, check which version directory exists under /usr/local/Cellar/pam_yubico and adjust the path. To continue, skip to Section 7.

6 Move pam_yubico.so to protected location (OS X 10.11 only)

Mac OS X 10.11 (El Capitan) introduced a new security feature, System Integrity Protection (also known as "rootless"), which prevents certain directories from being modified even by root. For the OS X login to function on 10.11, the file the Yubico PAM module needs (pam_yubico.so) must be copied into /usr/lib/pam, a directory protected by System Integrity Protection. It is therefore necessary to temporarily disable System Integrity Protection, copy the file, and then re-enable System Integrity Protection. Keep the period during which protection is disabled as short as possible and do only the copy in that window.

6.1 Disable System Integrity Protection (OS X 10.11 only)

1) Restart your system. Once the screen turns black, hold the Command and R keys until the Apple logo appears. This boots your system into Recovery Mode. Note: The slower than normal boot time is expected behavior.

2) Click the Utilities menu at the top of the screen, and then click Terminal.

3) Type the following into the Terminal window, and then press Enter:

    csrutil disable

4) Type the following into the Terminal window to restart, and then press Enter:

    reboot

6.2 Copy pam_yubico.so (OS X 10.11 only)

If you have OS X 10.11, run the following command in Terminal:

    sudo cp /usr/local/Cellar/pam_yubico/2.20/lib/security/pam_yubico.so /usr/lib/pam/pam_yubico.so

NOTE: The command above assumes pam_yubico version 2.20 is installed. If you get an error message, check which version directory exists under /usr/local/Cellar/pam_yubico and adjust the path.

6.3 Enable System Integrity Protection (OS X 10.11 only)

1) Restart your system. Once the screen turns black, hold the Command and R keys until the Apple logo appears. This boots your system into Recovery Mode.

2) Click the Utilities menu at the top of the screen, and then click Terminal.

3) Type the following into the Terminal window, and then press Enter:

    csrutil enable

4) Type the following into the Terminal window to restart, and then press Enter:

    reboot

Do not continue with Section 7 until System Integrity Protection is enabled again.

7 Configure PAM

To this point, you have configured a YubiKey for Challenge-Response and installed the Xcode Command Line Tools, Homebrew, and the Yubico-PAM module. Next, you will configure the desired user account for YubiKey authentication. There are two options: Screensaver (Section 7.4) and User Account login (Section 7.5).

7.1 Initial PAM setup

1) Log into the account you want to add YubiKey logon to.

2) In Terminal, run the following command to create the directory the PAM module reads from, accessible only to your account:

    mkdir -m0700 -p ~/.yubico

3) Make sure your YubiKey is plugged into your system and configured for Challenge-Response (Section 1 of this document), and then run the following command to create the file that stores the initial challenge and expected response:

    ykpamcfg -2

Verify that ykpamcfg has stored the initial challenge and expected response. You should see a confirmation similar to this:

    Stored initial challenge and expected response in /Users/[USERNAME]/.yubico/challenge-[YUBIKEY SERIAL NUMBER].

If instead the initial challenge was stored in /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER] (this happens when the command was run with sudo), copy it into your own account with the following command, where [USERNAME] is replaced with your user name and [YUBIKEY SERIAL NUMBER] with your YubiKey's 7-digit serial number:

    sudo cp /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER] /Users/[USERNAME]/.yubico

Afterwards make sure the copied file is owned by your account rather than by root.

Potential error messages:

"Yubikey core error: no yubikey present": the YubiKey is not currently plugged into your Mac. Insert the YubiKey, wait a moment for it to initialize, then retry step 3.

"Failed to read serial number": the YubiKey has been inserted but has not yet properly initialized. Remove and reinsert the YubiKey, then wait about 10 seconds before retrying step 3. If the problem persists, go to Apple menu > About This Mac > System Report and, under Hardware, click USB. The YubiKey must appear in this section. If it does not, open a Support Case with Yubico Support at yubi.co/support for further troubleshooting steps.

"USB Error: kIOReturnSuccess": this error is related to permissions. Try running the command again elevated with sudo (sudo ykpamcfg -2); the file then lands under /var/root/.yubico and must be copied into your account as described above.

7.2 Backup YubiKeys

Program at least two YubiKeys when implementing the PAM login requirement. If only one is configured and something happens to it, the only way to log back in to your account is to restore the system from a Time Machine backup created before PAM was configured. Note that every YubiKey needs its own challenge file, even a backup programmed with the same secret key: the file is named after the key's serial number, so the enrolment below must be repeated with the backup key inserted.

To prepare a backup YubiKey:

1) Follow the procedure in Section 1 to program the backup YubiKey with a Challenge-Response credential.

2) Log in to the user account that needs a backup YubiKey.

3) With the backup YubiKey inserted, open a Terminal window and run the following command to create the file that stores its initial challenge and expected response:

    ykpamcfg -2

Verify that ykpamcfg has stored the initial challenge and expected response. You should see a confirmation similar to this:

    Stored initial challenge and expected response in /Users/[USERNAME]/.yubico/challenge-[YUBIKEY SERIAL NUMBER].

7.3 Multiple user accounts and PAM

If your OS X computer has multiple user accounts, the edits in Sections 7.4 and 7.5 affect every user that logs in to the computer, so a YubiKey needs to be added to each account; an account without a challenge file will no longer be able to log in or unlock the screen. If you need to program additional YubiKeys, refer to Section 1 for instructions. You can use the same YubiKey for all accounts, or a different YubiKey for each account. Follow the steps below on each account:

1) Log in to the user account that needs a YubiKey.

2) With the YubiKey inserted, open a Terminal window and run the following command to create the file that stores the initial challenge and expected response:

    ykpamcfg -2

Verify that ykpamcfg has stored the initial challenge and expected response. You should see a confirmation similar to this:

    Stored initial challenge and expected response in /Users/[USERNAME]/.yubico/challenge-[YUBIKEY SERIAL NUMBER].

Repeat steps 1 and 2 for all user accounts that require a YubiKey.
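The mechanism behind Sections 1, 7.1 and 7.2, as an added Python example that is not Yubico's code and does not use pam_yubico's real challenge-file format: a stand-in for the slot programmed in Section 1 answers a challenge with HMAC-SHA1 under its 20-byte secret; a stand-in for ykpamcfg -2 records a random challenge and the key's answer in a challenge-<serial> file; a stand-in for the PAM module checks the answer at login and then stores a fresh challenge so a recorded response cannot be replayed. The serial numbers, the 32-byte challenges and the one-line "challenge_hex:response_hex" file layout are assumptions made for the illustration.

```python
"""Simulation of the HMAC-SHA1 challenge-response login the guide sets up.

Added example, not Yubico's code: the slot, the challenge store and the
one-line 'challenge_hex:response_hex' file layout are stand-ins for what
ykpamcfg -2 and pam_yubico do, not the module's real file format.
"""
import hashlib
import hmac
import os
import secrets
import tempfile


class YubiKeySlot2:
    """Slot 2 programmed as in Section 1: HMAC-SHA1, variable input, no button."""

    def __init__(self, secret_key: bytes, serial: int):
        if len(secret_key) != 20:                 # "Secret Key (20 bytes Hex)"
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
        self._key = secret_key
        self.serial = serial

    def challenge_response(self, challenge: bytes) -> bytes:
        # Variable-input mode (hmac-lt64): the challenge must be shorter than 64 bytes.
        if not 0 < len(challenge) < 64:
            raise ValueError("challenge must be 1..63 bytes in variable-input mode")
        return hmac.new(self._key, challenge, hashlib.sha1).digest()


class ChallengeStore:
    """Per-user directory like ~/.yubico with one challenge-<serial> file per key."""

    def __init__(self, directory: str):
        self.directory = directory

    def path_for(self, serial: int) -> str:
        return os.path.join(self.directory, f"challenge-{serial}")

    def enroll(self, key: YubiKeySlot2) -> str:
        """What ykpamcfg -2 does: pick a random challenge, record the key's answer."""
        challenge = secrets.token_bytes(32)
        self._write(key.serial, challenge, key.challenge_response(challenge))
        return self.path_for(key.serial)

    def authenticate(self, key) -> bool:
        """What pam_yubico does at login or unlock; key is None if none is inserted."""
        if key is None:
            return False
        try:
            challenge, expected = self._read(key.serial)
        except FileNotFoundError:
            return False                          # not enrolled for this serial
        if not hmac.compare_digest(key.challenge_response(challenge), expected):
            return False
        # Success: store a fresh challenge so a recorded response cannot be replayed.
        new_challenge = secrets.token_bytes(32)
        self._write(key.serial, new_challenge, key.challenge_response(new_challenge))
        return True

    def _write(self, serial: int, challenge: bytes, response: bytes) -> None:
        fd = os.open(self.path_for(serial), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as f:             # 0600, inside the mkdir -m0700 directory
            f.write(f"{challenge.hex()}:{response.hex()}\n")

    def _read(self, serial: int):
        with open(self.path_for(serial)) as f:
            challenge_hex, response_hex = f.read().strip().split(":")
        return bytes.fromhex(challenge_hex), bytes.fromhex(response_hex)


def demo() -> dict:
    """Walk through Sections 7.1 and 7.2 with constructed keys and a temp directory."""
    secret = secrets.token_bytes(20)              # the value from the Personalization Tool log
    primary = YubiKeySlot2(secret, 1234567)       # constructed serial numbers
    backup = YubiKeySlot2(secret, 7654321)        # same secret, different serial (Section 7.2)
    impostor = YubiKeySlot2(secrets.token_bytes(20), primary.serial)  # right serial, wrong secret
    results = {}
    with tempfile.TemporaryDirectory() as home_yubico:
        store = ChallengeStore(home_yubico)
        store.enroll(primary)                     # ykpamcfg -2 with the primary key inserted
        results["primary"] = store.authenticate(primary)
        results["primary_again"] = store.authenticate(primary)   # still works after rotation
        results["no_key"] = store.authenticate(None)
        results["wrong_secret"] = store.authenticate(impostor)
        results["backup_before_enroll"] = store.authenticate(backup)  # no challenge-7654321 yet
        store.enroll(backup)                      # ykpamcfg -2 with the backup key inserted
        results["backup_after_enroll"] = store.authenticate(backup)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'allowed' if ok else 'denied'}")
```

Two results are the ones worth noticing. The backup key is denied until it has been enrolled with ykpamcfg -2 itself, even though it carries the same secret, because the store is keyed by serial number; that is why Section 7.2 repeats the enrolment with the backup inserted. The impostor with the right serial but a different secret is denied, so what the login really trusts is the 20-byte secret from Section 1.1 step 11, and the log file holding it deserves the same protection as a password.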

7.4 Configure the OS X User Account to require YubiKey presence when deactivating the Screensaver

To require the YubiKey to be present in your Mac to deactivate the screensaver, follow the steps below. The instructions are written for the command-line editor vi, which is already present in OS X. There are other ways to edit system files, so feel free to use an alternative editor if you prefer.

1) Open Terminal and change directory to /etc/pam.d:

    cd /etc/pam.d

2) In the /etc/pam.d directory, type sudo vi screensaver and press Enter. Verify that the file begins with:

    # screensaver: auth account

3) Press the i key (to change from Command Mode to Insert Mode, which is required to edit the text). You should now see INSERT at the bottom of the Terminal window.

4) Arrow down to the first letter of the first line that begins with account, and then press Enter to open a new line.

5) Arrow up one line to the newly created blank line and type the following (the original uses seven spaces between the three columns; any whitespace works):

    auth       required       pam_yubico.so mode=challenge-response

This places the line after the existing auth lines and before the account lines.

6) Press the Esc key to exit Insert Mode and return to Command Mode.

7) Type ZZ to save the changes you have made (use capital Zs; lowercase zz will not save the file).

8) Close the Terminal window.

The next time your Mac goes to the screensaver, remove your YubiKey and type in your password: the unlock attempt should fail. Insert the YubiKey and try again: the unlock should succeed. For testing purposes, you can speed this up by going to Apple Menu > System Preferences > Desktop & Screen Saver and changing Start after (at the bottom left) to 1 Minute.

7.5 Configure the OS X User Account to require YubiKey presence when logging in to the current account

To require the YubiKey to be present in your Mac to log into your account, follow the steps below. As in Section 7.4, the instructions are written for vi; use an alternative editor if you prefer. The steps are nearly identical to those of Section 7.4, with the file authorization in place of screensaver:

1) Open Terminal and change directory to /etc/pam.d:

    cd /etc/pam.d

2) In the /etc/pam.d directory, type sudo vi authorization and press Enter. Verify that the file begins with:

    # authorization: auth account

3) Press the i key (to change from Command Mode to Insert Mode, which is required to edit the text). You should now see INSERT at the bottom of the Terminal window.

4) Arrow down to the first letter of the first line that begins with account, and then press Enter to open a new line.

5) Arrow up one line to the newly created blank line and type the following:

    auth       required       pam_yubico.so mode=challenge-response

6) Press the Esc key to exit Insert Mode and return to Command Mode.

7) Type ZZ to save the changes you have made (use capital Zs; lowercase zz will not save the file).

8) Close the Terminal window.

9) Log out of your user account, and then attempt to log back in without the YubiKey inserted. The login should fail. Next, insert your YubiKey, wait approximately 10 seconds, and then attempt to log in again. The login should be successful.
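The edit that Sections 7.4 and 7.5 make by hand, as an added Python example that is not Yubico's code: one function inserts the pam_yubico line directly before the first account line (after the existing auth lines, where the vi steps put it) and is safe to run twice; a second function checks the result for the mistakes that would either lock the account out or silently leave the YubiKey unused; a third performs the pre-flight checks implied by Sections 2, 5, 6 and 7.1, namely that the module exists at /usr/lib/pam/pam_yubico.so and that the account has a challenge file, since a `required` module that cannot load or cannot find its file denies every login. The sample service file is a constructed approximation of OS X's /etc/pam.d/screensaver, not a copy of a real system's file.

```python
"""Apply the /etc/pam.d edit of Sections 7.4 and 7.5 programmatically and check it.

Added example, not Yubico's code.  The sample service file below is a
constructed approximation of OS X's /etc/pam.d/screensaver, not a copy.
"""
import os
import tempfile

YUBICO_LINE = "auth       required       pam_yubico.so mode=challenge-response"
PAM_YUBICO_PATH = "/usr/lib/pam/pam_yubico.so"      # where Sections 5 and 6 put the module

SAMPLE_SCREENSAVER = """\
# screensaver: auth account
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
account    sufficient     pam_self.so
account    required       pam_group.so no_warn group=admin,wheel fail_safe
"""


def _is_yubico_auth(line: str) -> bool:
    fields = line.split()
    return len(fields) >= 3 and fields[0] == "auth" and fields[2].endswith("pam_yubico.so")


def add_yubico_auth(text: str) -> str:
    """Insert YUBICO_LINE directly before the first 'account' line, i.e. after the
    existing auth lines, exactly where the guide's vi keystrokes put it.
    Idempotent: a file that already has the line is returned unchanged."""
    lines = text.splitlines()
    if any(_is_yubico_auth(l) for l in lines):
        return text
    for i, line in enumerate(lines):
        if line.split()[:1] == ["account"]:
            lines.insert(i, YUBICO_LINE)
            break
    else:
        raise ValueError("no 'account' line found; refusing to guess where the auth block ends")
    return "\n".join(lines) + "\n"


def verify_yubico_auth(text: str) -> list:
    """Return a list of problems with the edited stack; an empty list means OK."""
    problems = []
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    yubico = [l for l in lines if _is_yubico_auth(l)]
    if len(yubico) != 1:
        return [f"expected exactly one pam_yubico auth line, found {len(yubico)}"]
    fields = yubico[0].split()
    if fields[1] != "required":
        problems.append(f"control flag is {fields[1]!r}; the guide uses 'required'")
    if "mode=challenge-response" not in fields[3:]:
        problems.append("mode=challenge-response missing; pam_yubico would default to OTP validation")
    before = lines[: lines.index(yubico[0])]
    if any(l.split()[0] != "auth" for l in before):
        problems.append("pam_yubico line is not inside the auth block")
    return problems


def preflight(user_home: str, module_path: str = PAM_YUBICO_PATH) -> list:
    """Checks to run before editing.  With 'required', a missing module or a
    missing ~/.yubico/challenge-<serial> file means the account is locked out
    (Sections 2, 7.2 and 7.3)."""
    problems = []
    if not os.path.exists(module_path):
        problems.append(f"{module_path} not found; see Sections 5 and 6")
    ydir = os.path.join(user_home, ".yubico")
    names = os.listdir(ydir) if os.path.isdir(ydir) else []
    if not any(n.startswith("challenge-") for n in names):
        problems.append(f"no challenge-<serial> file in {ydir}; run ykpamcfg -2 first (Section 7.1)")
    return problems


def demo_preflight() -> tuple:
    """preflight() against a constructed home: first empty, then with a challenge
    file and a stand-in module file (a temp file, not the real module)."""
    with tempfile.TemporaryDirectory() as home:
        module = os.path.join(home, "pam_yubico.so")
        before = preflight(home, module)
        os.mkdir(os.path.join(home, ".yubico"), 0o700)
        open(os.path.join(home, ".yubico", "challenge-1234567"), "w").close()
        open(module, "w").close()
        after = preflight(home, module)
    return before, after


if __name__ == "__main__":
    edited = add_yubico_auth(SAMPLE_SCREENSAVER)
    print(edited)
    print("verify:", verify_yubico_auth(edited) or "OK")
    print("preflight (constructed home):", demo_preflight())
```

Run preflight() for every account on the machine before writing the file, since Section 7.3's point is that the edited stack applies to all users; then run verify_yubico_auth() on the written file and, as the guide says, test the screensaver or a fresh login with the key removed and inserted before closing the session you edited from.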
